US11960588B2ActiveUtilityA1

Security services in a software defined control system

98
Assignee: FISHER ROSEMOUNT SYSTEMS INCPriority: Jun 16, 2021Filed: Sep 29, 2021Granted: Apr 16, 2024
Est. expiryJun 16, 2041(~14.9 yrs left)· nominal 20-yr term from priority
G06F 21/33G06F 21/6218H04L 9/321H04L 9/3247H04L 9/3263G06F 2221/2113G05B 19/4185H04L 63/0823G05B 2219/33139Y02P90/02G05B 19/418G06F 9/45558H04L 63/10
98
PatentIndex Score
16
Cited by
61
References
15
Claims

Abstract

A software defined (SD) process control system (SDCS) includes a control container having contents which are executable during run-time of the process plant to control at least a portion of an industrial process. The SDCS also includes a security service associated with the control container and including contents which define one or more security conditions. The security service executes via a container on a compute node of the SDCS to control access to and/or data flow from the control container based on the contents of the security container.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method for role-based authorization in a software defined process control system (SDCS), the method comprising:
 obtaining, via a security service executing via a container on a compute node within the software defined process control system (SDCS), a request to access another service within the SDCS from a user; 
 determining, by the security service, an authorization level of the user based on the request; 
 determining, by the security service, whether the user is authorized to access the other service based on the authorization level; and 
 in response to determining the user is authorized to access the other service, providing, by the security service, the user access to the other service. 
 
     
     
       2. The method of  claim 1 , further comprising:
 authenticating, via an authentication service executing via a container on a compute node within the SDCS, the user via a certificate included in the request, 
 wherein determining the authorization level includes obtaining the authorization level of the user from the certificate. 
 
     
     
       3. The method of  claim 2 , wherein authenticating the user includes determining that the certificate includes a digital signature by a certificate authority. 
     
     
       4. The method of  claim 2 , wherein the type of certificate assigned to the user is based on the authorization level of the user, and the security service determines the user's authorization level based on the type of certificate included in the request. 
     
     
       5. The method of  claim 1 , wherein the security service provides the user access to the other service in a first instance, and further comprising:
 in a second instance, in response to determining the user is not authorized to access the other service, preventing, by the security service, access to the other service. 
 
     
     
       6. The method of  claim 1 , further comprising:
 determining a minimum threshold authorization level for accessing the other service; and 
 determining that the user is authorized to access the other service in response to determining that the authorization level for the user meets or exceeds the minimum threshold authorization level. 
 
     
     
       7. The method of  claim 1 , wherein obtaining a request to access another service includes obtaining the request to access the other service from a physical or logical asset of the process plant which is controlled by the user. 
     
     
       8. A software defined process control system (SDCS) to control an industrial process in a process plant, the SDCS comprising:
 a certificate authority service executing via a container on a compute node of the SDCS to:
 obtain a request for a certificate from a physical or logical asset of the process plant utilized during run-time of the process plant to control at least a portion of the industrial process, the request including identification information for the physical or logical asset; 
 verify an identity of the physical or logical asset based on the identification information; 
 generate a certificate for the physical or logical asset including a cryptographic public key for the physical or logical asset, an identifier for the certificate authority service, and a digital signature for the certificate authority service to prove that the certificate has been generated by the certificate authority service; and 
 provide the certificate to the physical or logical asset to be used to authenticate the physical or logical asset when interacting with other services of the SDCS. 
 
 
     
     
       9. The SDCS of  claim 8 , further comprising:
 an authentication service executing via a container on a compute node of the SDCS to:
 obtain a request to authenticate the physical or logical asset in response to a request by the physical or logical asset to access another service of the SDCS; 
 obtain the certificate assigned to the physical or logical asset; 
 authenticate the physical or logical asset by determining that the certificate includes a digital signature by a certificate authority; and 
 provide an indication that the physical or logical asset is authenticated for accessing the other service. 
 
 
     
     
       10. The SDCS of  claim 9 , further comprising
 an encryption service executing via a container on a compute node of the SDCS to:
 receive data from the other service of the SDCS; 
 encrypt the data using the public cryptographic key for the physical or logical asset; and 
 provide the encrypted data to the physical or logical asset. 
 
 
     
     
       11. A method for authenticating a physical or logical asset of a process plant, the method comprising:
 obtaining, by a security service executing via a container on a compute node within a software defined process control system (SDCS), a request from the physical or logical asset of the process plant to access another service executing via a container on a compute node within the SDCS, the request including a certificate, wherein the physical or logical asset of the process plant is utilized during run-time of the process plant to control at least a portion of the industrial process; 
 verifying, by an authentication service executing via a container on a compute node of the SDCS, authenticity of the physical or logical asset based on the certificate; and 
 providing, by the security service, access to the other service in response to verifying authenticity of the physical or logical asset. 
 
     
     
       12. The method of  claim 11 , further comprising:
 obtaining, by the security service, a cryptographic public key for the physical or logical asset from the certificate; 
 encrypting, by the security service, data from the other service using the cryptographic public key; and 
 providing, by the security service, the encrypted data to the physical or logical asset. 
 
     
     
       13. The method of  claim 11 , further comprising:
 determining, by the security service, an authorization level of a user controlling the physical or logical asset based on the request; and 
 determining, by the security service, whether the user is authorized to access the other service based on the authorization level; 
 wherein the security service provides access to the other service in response to determining the user is authorized to access the other service and verifying the authenticity of the physical or logical asset. 
 
     
     
       14. The method of  claim 13 , wherein determining whether the user is authorized to access the other service based on the authorization level includes:
 determining a minimum threshold authorization level for accessing the other service; and 
 determining that the user is authorized to access the other service in response to determining that the authorization level for the user meets or exceeds the minimum threshold authorization level. 
 
     
     
       15. The method of  claim 11 , wherein verifying authenticity of the physical or logical asset includes determining that the certificate includes a digital signature by a certificate authority.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.